FedRAMP (Federal Risk and Authorization Management Program) is a government-wide program that streamlines the assessment, authorization and continuous-monitoring (ConMon) requirements for cloud-based IT services. It is how the federal government ensures that its cloud IT services do not put sensitive data or systems at unnecessary risk. Bottom line, Cloud Service Providers (CSPs) wanting to serve US government agencies must first obtain a FedRAMP Authorization to Operate (ATO).
Designed to apply the National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF) approach to cloud solutions, the FedRAMP program embraces the concept that CSPs can build and verify their compliant Cloud Service Offerings (CSOs) once and then use that verification to deliver the same offering multiple times to multiple agencies.
FedRAMP ATO Acceleration with AWS
Amazon Web Services (AWS) offers IaaS and PaaS services that have been accredited at the FedRAMP High and Moderate levels. AWS offers two groups of regions: East/West (Commercial) and AWS GovCloud (Government Cloud). Cloud Service Providers (CSPs) looking to provide SaaS solutions to US Government or DoD agencies can accelerate their FedRAMP compliance project by building their cloud solution on these pre-accredited services.
FedRAMP compliance requires implementing NIST SP 800-53 based controls that mandate management, operational and technical capabilities that must be implemented by a Cloud Service Provider. Using IaaS and PaaS services that have been previously accredited lets the CSP inherit controls that it then does not have to implement itself. Additionally, AWS offers a variety of value-added services that allow for the rapid implementation of technical controls related to vulnerability management and continuous monitoring. A good example is the Physical and Environmental Protection (PE) control family, which deals with protecting the data center and physical assets. A hyper-scale cloud service like AWS has already met all of the requirements associated with PE controls, so a CSP can inherit those controls rather than implementing them.
AWS offers a number of other accelerators, including the Landing Zone Accelerator (LZA) and a specialized set of partners through the ATO on AWS program. ATO on AWS partners have deep domain expertise in delivering compliant architectures, documentation and continuous monitoring services. Engaging subject matter experts experienced in AWS, security and compliance can help reduce the time and cost of FedRAMP compliance projects.